Bug#622146: nfs-kernel-server: error Encryption type not permitted
On 11/14/2011 04:57 PM, Mc.Sim wrote:
> Hello!
Hi
> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:
> I tried to uncomment
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> and comment:
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc
Why would that work without changing anything in your Kerberos keytabs?
> but always when trying to connect to the server,
> root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Expected when des3-hmac-sha1 is not in keytab.
> ==============================================
> In this case, the second mount on the client only after a service nfs-common restart, because mount hangs and stops due to a timeout.
> When I comment out all the settings on the server and client:
>
> # allow_weak_crypto = true
> # default_tgs_enctypes = des-cbc-crc
> # default_tkt_enctypes = des-cbc-crc
> # permitted_enctypes = des-cbc-crc
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> # permitted_enctypes = des-cbc-crc
> And I get this message in the server log:
>
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
>
> Please help me with this problem.
This will only work if you have other possibilities in the Kerberos keytab.
> p.s. On the client (hostname debian) as an NFS server is installed and if I run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)
So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?
I myself have little to no experience with Kerberos, but I would try
klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
to add entries to the keytab when needed. This does not look like an NFS
problem to me or am I mistaken?
Cheers
Luk
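
The keytab check suggested above, as an added example that is not part of either message: it compares the enctypes of the keys listed by `klist -ke /etc/krb5.keytab` with `permitted_enctypes` from krb5.conf and reports which keys of the nfs/ principal remain usable. The principal names, the realm and both sample texts are constructed, and the klist lines are assumed to use the short enctype names that recent MIT klist prints.

```python
import re

# Alternative spellings MIT krb5 accepts, mapped to the name klist prints.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "rc4-hmac": "arcfour-hmac"}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def permitted_enctypes(conf_text):
    """Enctypes from the first uncommented permitted_enctypes line, or None."""
    m = re.search(r"^[ \t]*permitted_enctypes[ \t]*=[ \t]*(.+)$", conf_text, re.M)
    if not m:
        return None
    return {canon(t) for t in re.split(r"[,\s]+", m.group(1).strip()) if t}

def keytab_enctypes(klist_text):
    """Map principal -> set of enctypes from `klist -ke` style output."""
    keys = {}
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\(([^)]+)\)", line)
        if m:
            keys.setdefault(m.group(1), set()).add(canon(m.group(2)))
    return keys

def usable_keys(conf_text, klist_text, service="nfs/"):
    """Per service principal, the keytab enctypes the config still permits."""
    allowed = permitted_enctypes(conf_text)
    if allowed is None:
        return None  # no explicit list: the library defaults decide
    return {princ: sorted(etypes & allowed)
            for princ, etypes in keytab_enctypes(klist_text).items()
            if princ.startswith(service)}

# Constructed sample data (not taken from the reporter's systems).
KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   3 nfs/archiv.example.test@EXAMPLE.TEST (des-cbc-crc)
   3 host/archiv.example.test@EXAMPLE.TEST (des-cbc-crc)
"""
CONF_DES3 = "[libdefaults]\n# permitted_enctypes = des-cbc-crc\n  permitted_enctypes = des3-hmac-sha1\n"
CONF_DES = "[libdefaults]\n  permitted_enctypes = des-cbc-crc\n"

if __name__ == "__main__":
    for label, conf in (("des3 only", CONF_DES3), ("des only", CONF_DES)):
        print(label, usable_keys(conf, KLIST))
```

An empty list for the nfs/ principal is the case described above, where the permitted enctype has no matching key in the keytab.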